Mikrotik + IPV6

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Mikrotik + IPV6

MichaelNZ

Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted

Integrity Tech Solutions

Subscriber

Topic # 236175 21-May-2018 21:08

Simply enabling the IPV6 package (disabled by default) causes the router to not be able to connect to the internet. PPPoE connect attempts fail with no useful information in the log.

Has someone else seen this weird issue before?

1 | 2

5310 posts

Uber Geek
+1 received by user: 1793

Reply # 2020081 21-May-2018 21:13

Not seen that, however, /system logging (and assuming winbox/webfig) add a new log type with no topics selected, and action memory. That should enable more info in the log to troubleshoot. Delete or disable that rule though when finished or it will overrun the log very quickly.

MichaelNZ

Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted

Integrity Tech Solutions

Subscriber

Reply # 2020090 21-May-2018 21:40

For equally unknown reasons it has now decided to work as far as connecting. But I still don't have working IPV6.

The 'howtos' I have found so far indicate the way to do this with Mikrotik is to run a DHCPv6 client on the WAN interface. This does not appear to be working either showing status of "searching". Additionally, none of the advice topology I have found refloects how things are done here, leaving me to fill in the blanks.

Should this client run on vlan 10 or the pppoe interface?

Is the advice wrong and there is another way?

What I have done so far:

ipv6 / dhcpv6-client

interface = dialer0 (pppoe interface)

request = prefix

pool name = ipv6-pool

add default route = yes

MattR

186 posts

Master Geek
+1 received by user: 31

Reply # 2020488 22-May-2018 16:17

I've had no trouble running IPv6 on PPPoE on VLAN 10.

The DHCP Client should be listening on the interface where you get your IPv4 public IP - so if you're using PPPoE, it should be on the PPPoE interface.

I've never had the IPv6 module break IPv4. If you have a default-deny policy on your ipv6 firewall (as you should..) you'll need to allow DHCPv6

Which ISP are you with?

MichaelNZ

Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted

Integrity Tech Solutions

Subscriber

Reply # 2020489 22-May-2018 16:19

MattR:

The DHCP Client should be listening on the interface where you get your IPv4 public IP - so if you're using PPPoE, it should be on the PPPoE interface.

I've never had the IPv6 module break IPv4. If you have a default-deny policy on your ipv6 firewall (as you should..) you'll need to allow DHCPv6

Which ISP are you with?

So my config should be "correct" then... I am with InspireNet.

The IPV6 module thing was weird. It appeared to break it but next time it worked... No explanation.

MattR

186 posts

Master Geek
+1 received by user: 31

Reply # 2020494 22-May-2018 16:58

I'm on 2degrees, so I'm just guessing here.

In the DHCPv6 Client config, which requests do you have? Try "prefix" only - not info or address.

Edit: I see you've already got that..

MichaelNZ

Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted

Integrity Tech Solutions

Subscriber

Reply # 2020495 22-May-2018 16:59

MattR:

In the DHCPv6 Client config, which requests do you have? Try "prefix" only - not info or address.

That's what I have, thanks.

As follows:

ipv6 / dhcpv6-client

interface = dialer0 (pppoe interface)

request = prefix

pool name = ipv6-pool

add default route = yes

MattR

186 posts

Master Geek
+1 received by user: 31

Reply # 2020516 22-May-2018 17:33

Inspire's IPv6 page says you need to email them to get it enabled, I assume you've done that?

Are you firewalling icmp6 and/or udp/546?

Can't think of any other reason why it wouldn't work.

MichaelNZ

Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted

Integrity Tech Solutions

Subscriber

Reply # 2020522 22-May-2018 17:42

MattR:

Inspire's IPv6 page says you need to email them to get it enabled, I assume you've done that?

Are you firewalling icmp6 and/or udp/546?

I was alocated a /56 at the time of setting up the account.

I don't see anything mentioned under IP / Firewall or IPV6 / Firewall.

But it doesn't say what the default is and I am not yet familiar enough with Mikrotik.

Is this something which needs to be explicitly set?

MattR

186 posts

Master Geek
+1 received by user: 31

Reply # 2020535 22-May-2018 18:10

default is allow, so you'll want to configure some rules. Leaving it open to the world is a very bad idea. Do IPv4 right now - there are multiple exploits that target the management interface of the Mikrotik unless it's a very recent OS version.

MichaelNZ

Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted

Integrity Tech Solutions

Subscriber

Reply # 2020578 22-May-2018 18:59

MattR:

default is allow, so you'll want to configure some rules. Leaving it open to the world is a very bad idea. Do IPv4 right now - there are multiple exploits that target the management interface of the Mikrotik unless it's a very recent OS version.

I have already restricted access to the management interface and it's the latest O/S. But good advice thanks.

raytaylor

3289 posts

Uber Geek
+1 received by user: 664

Trusted

Reply # 2020742 22-May-2018 21:25

One person supports this post

If you ask mikrotik support "It will be fixed in ROS 7"

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

MichaelNZ

Linux Systems Admin
987 posts

Ultimate Geek
+1 received by user: 166

Trusted

Integrity Tech Solutions

Subscriber

Reply # 2021121 23-May-2018 13:05

Inspire have fixed the issue (configuration problem at their end) and I now have IPV6 (yay!), however, all my DMZ IPV4 traffic is now showing at the remote end as originating from the WAN IP address and not the host's statically assigned publicly-routable IPV4 address.

I have covered the obvious bases - checked the host has it's correct IPV4 address configured. Check.

Plugged my Cisco back in and the problem is fixed so it's definately at my end.

It appears what is happening is the Mikrotik is NATing IPV4 even though it doesn't need to NAT hosts in the DMZ vlan.

Whether this is a consequence of enabling IPV6 or something I have just noticed, I don't know. I have only had the Mikrotik for about a week. I disabled IPV6 by stopping the DHCPv6 client and the issue persisisted.

Can anyone here shed some light on what is happening please? I will continue to Google for a resolution.

In Cisco terminology, I assume what's needed is to specify an internal interface for "nat inside".